ASA SMTP capture

Unanswered Question
Mar 6th, 2009
Urgent help


Our ISP has blacklisted us due to them receiving lots of SMTP traffic from us.


We need to find out the source of the issue: who on the inside is sending SMTP traffic to the outside.


Is there a way to capture SMTP traffic on the ASA, and also see who is sending it?

Collin Clark Fri, 03/06/2009 - 07:42

Here's a quick fix you should do first. In your ACL permit your internal mail server to send SMTP and block everyone else. This should go at the top of your ACL.


access-list inside_acl permit tcp host mymailserver any eq smtp

access-list inside_acl deny tcp any any eq smtp log


That will prevent email sourced from anything other than your approved mail server from getting out. Next you can take a look at your logs and see who is getting denied. The logs are generated by the log keyword at the end of ACL line #2.


Hope that helps.


You can run a capture on the ASA.


1) Create an ACL to identify the traffic you want to capture


access-list TEST permit tcp any any eq smtp


2) Create the capture statement:

capture MY-CAP access-list TEST interface inside


If you want to see the entire packet, you would need to add "packet-length 1522":

capture MY-CAP access-list TEST packet-length 1522 interface inside


You can then do a "show capture MY-CAP" to see the traffic.


If you want to download the capture to a sniffer, you have to do that while the capture is running; you do that from a browser with the URL https:///capture//pcap


NOTE: This assumes that the interface on your ASA is named "inside"
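As an added example (not part of this thread or the poster's own configuration), a small Python script that does the "look at your logs" step: it parses the ASA syslog deny messages produced by the log keyword on the deny line and counts how many blocked SMTP attempts each inside host made. The 106023 message layout and the sample log lines are assumptions I constructed, not output from the original poster's firewall.

```python
import re
from collections import Counter

# Constructed sample of ASA syslog output. Message ID 106023 is what the ASA
# emits for an ACL deny with the "log" keyword (layout assumed from memory,
# not taken from the thread). Addresses are from documentation ranges.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src inside:192.168.1.50/49152 dst outside:203.0.113.10/25 by access-group "inside_acl" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.50/49153 dst outside:198.51.100.7/25 by access-group "inside_acl" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.77/51000 dst outside:203.0.113.10/25 by access-group "inside_acl" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.168.1.77/5353 dst outside:203.0.113.10/53 by access-group "inside_acl" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:192.168.1.10/40000 (192.168.1.10/40000)
garbage line that should be skipped
"""

# Fields of interest in a 106023 deny message; search() tolerates a leading
# timestamp or hostname that a syslog server may prepend.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"by access-group \"(?P<acl>[^\"]+)\""
)

def smtp_senders(log_text, acl_name="inside_acl", smtp_port=25):
    """Return {src_ip: count} of hosts denied by acl_name when sending to TCP/25.

    Lines that are not 106023 deny messages, that belong to another ACL,
    or that are not TCP to the SMTP port are ignored.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ACL deny message, or malformed: skip it
        if m["acl"] != acl_name or m["proto"].lower() != "tcp":
            continue
        if int(m["dst_port"]) != smtp_port:
            continue
        counts[m["src_ip"]] += 1
    return dict(counts)

def top_sender(log_text):
    """Return the inside IP with the most denied SMTP attempts, or None."""
    counts = smtp_senders(log_text)
    if not counts:
        return None
    return max(counts.items(), key=lambda kv: kv[1])[0]

if __name__ == "__main__":
    for ip, n in sorted(smtp_senders(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} denied SMTP attempts")
```

Feed it the syslog file from your logging server instead of SAMPLE_LOG; the host at the top of the list is the one to pull off the network and inspect.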
